Apache server logs “GET /w00tw00t.isc.sans.dfind:)” fix

Seen “GET /w00tw00t.isc.sans.dfind:)” 400 in your server logs?
This is a vulnerability scan.
Tired of the little wannabe 1337 teens trying to hack your server?
Try this little script I wrote to ban them as soon as they try:
I linked w00t in /etc/init.d and ran "update-rc.d defaults" so it starts at bootup.
I put ban in /usr/local/bin. File: logfunctions

#!/bin/bash
#
#This script is a wrapper for a number of other scripts contained inside it.
#
#Usage: $0 scriptname [parameters]
#Allowed scriptnames [parameters]:
# ban [ip] [text]
# checkiptables
# mailovh
# w00t [stop]
#error $? returned:
# 0 no errors
# 1 no scriptname passed
# 2 invalid scriptname passed
# 10 or higher:
#  first value denotes executed script, last number denotes return value
#  example: 17: script 1, return value 7
#  example: 32: script 3, return value 2
#  values higher than 99:
#  example: 154: script 15, return value 4
# 10: ban: no errors
# 11: ban: no IP passed
# 12: ban: whitelisted IP passed
# 13: ban: localhost|127.0.0.1 passed
# 14: ban: new IP found to ban
# 17: ban: IP is already banned
# 20: checkiptables: no errors
# 21: checkiptables: unable to delete $OUTFILE
# 22: checkiptables: IPs are still being banned
# 23: checkiptables: no IPs are being banned
# 40: w00t: no errors
# 41: w00t: shutdown running process
#100+: exited out of case without exiting the script - unhandled exit, remove 100 to get the actual code
#systemwide variables:
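#systemwide variables:
BANLENGTH="1 week"
#epoch second at which a ban created by this run expires
BANEND=$(date +%s --date="$BANLENGTH")
D=$(date)
DS=$(date +%s)
DT=$(date +%T)
OVHALL="/var/log/ovh_all.log"
OVHLOG="/var/log/ovh.log"
#published under the web root: whatever ban writes here is served to the world
WWWBANNEDIPS="/var/www/bannedips.txt"
#one "<expiry epoch> <ip>" line per banned address
CURRENTBANNEDIPS="/etc/banlist"
#scratch copy of the ban list rebuilt by checkiptables; written as
#"$CURRENTBANNEDIPS"+".tmp" the '+' ends up literally in the file name
OUTFILE="${CURRENTBANNEDIPS}.tmp"
MONITOR="/var/log/apache2/access.log"
#inside the "" add any files you wish to monitor eg /var/log/syslog
#one egrep (extended regex) pattern per element, one element per line; they are
#joined with '|' below into the single alternation WATCHLIST that w00t greps for.
#Adjacent quoted strings with no separator would be concatenated by bash into a
#single element, which silently breaks the whole list.
WATCHARRAY=(
  "//skin/ggambo6200_board/error\.php?"
  "\"GET //[Pp]hp[Mm]y[Aa]dmin//scripts/setup\.php HTTP/1\.1\""
  "\"GET //pma/"
  "\"GET /pma/"
  "\"GET /w00t.* HTTP/1\.1\" 400 [0-9]* \".*\" \".*\""
  "Toata dragostea mea pentru diavola"
)
#"${arr[*]}" joins on the first character of IFS; the assignment is done in the
#command-substitution subshell so the caller's IFS is left untouched
WATCHLIST=$(IFS='|'; printf '%s' "${WATCHARRAY[*]}")
WOOTLOCK="/var/lock/w00t.lock"
SERVERIP="example.com (127.0.0.1)"
#insert your server name and IP here
FROMMAIL="exploits@example.com (example.com monitor)"
# insert your email address here
WHITELIST="127.0.0.1"
# insert a list of whitelisted (non-bannable) IPs here, separated by ' '
#program paths, change to suit your individual system
GREP="/bin/egrep"
# egrep must be egrep, not grep
CAT="/bin/cat"
WHOIS="/usr/bin/whois"
ECHO="/bin/echo"
IPTABLES="/sbin/iptables"
WC="/usr/bin/wc"
AWK="/usr/bin/awk"
CUT="/usr/bin/cut"
CP="/bin/cp"
RM="/bin/rm"
MV="/bin/mv"
TAIL="/usr/bin/tail"
PS="/bin/ps"
SENDMAIL="/usr/sbin/sendmail"
KILL="/bin/kill"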
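#Main script start
#
#Each sub-script is a function below that returns only its offset (0-7); the
#dispatcher in main adds the base value (10, 20 or 40), so the exit codes
#documented at the top of the file are unchanged.

#######################################
# Tests whether a string is a dotted-quad IPv4 address (each octet 0-255).
# Arguments: $1 - string to test
# Returns:   0 if it is an IPv4 address, 1 otherwise
#######################################
is_ipv4() {
  local candidate=$1 octet
  local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'
  [[ "$candidate" =~ $re ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces base 10 so a leading zero ("08") is not read as octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# ban: adds an IP to the ban list and to the iptables INPUT chain.
# Globals:   WHITELIST, CURRENTBANNEDIPS, WWWBANNEDIPS, BANEND, BANLENGTH, DT,
#            IPTABLES (read)
# Arguments: $1 - IP to ban; $2 - the log line that triggered the ban (optional)
# Outputs:   progress messages on stdout, usage on stdout when no IP is given
# Returns:   1 no IP (or no valid IPv4 address) passed, 2 whitelisted IP,
#            3 localhost, 4 new IP banned, 7 IP already banned
#######################################
do_ban() {
  local ip=$1 line=$2 entry stamp banned_ip
  if [[ -z "$ip" ]]; then
    printf '%s ban IP\n' "$0"
    printf 'eg: %s ban 11.22.33.44\n' "$0"
    return 1
  fi
  # exact comparison per whitelist entry; a substring grep would also accept
  # 11.22.33.44 when the whitelist holds 111.22.33.444
  # shellcheck disable=SC2086
  for entry in $WHITELIST; do
    [[ "$entry" == "$ip" ]] && return 2
  done
  [[ "$ip" == "127.0.0.1" || "$ip" == "localhost" ]] && return 3
  # the value normally comes from a matched access-log line, i.e. from data a
  # remote client influences, so it is validated before it becomes an iptables
  # argument
  if ! is_ipv4 "$ip"; then
    printf 'ban: "%s" is not an IPv4 address\n' "$ip" >&2
    return 1
  fi
  if [[ -f "$CURRENTBANNEDIPS" ]]; then
    # ban list lines are "<expiry epoch> <ip>"; compare the ip field exactly
    while read -r stamp banned_ip || [[ -n "$banned_ip" ]]; do
      if [[ "$banned_ip" == "$ip" ]]; then
        printf 'D'
        return 7
      fi
    done < "$CURRENTBANNEDIPS"
  fi
  printf '\n%s:IP "%s" not found, banning IP "%s" for %s\n' "$DT" "$ip" "$ip" "$BANLENGTH"
  printf '%s %s\n' "$BANEND" "$ip" >> "$CURRENTBANNEDIPS"
  "$IPTABLES" -A INPUT -s "$ip" -j DROP
  # WWWBANNEDIPS sits under the web root, so the raw (client-supplied) request
  # line is published verbatim: keep serving it as plain text or escape it
  # before rendering it as HTML. Quoted so it is neither split nor glob-expanded.
  printf '%s %s %s\n' "$BANEND" "$ip" "$line" >> "$WWWBANNEDIPS"
  return 4
}

#######################################
# checkiptables: rebuilds the ban list and the iptables rules from
# CURRENTBANNEDIPS, dropping entries whose expiry has passed.
# Globals:   OUTFILE, CURRENTBANNEDIPS, DS, BANEND, IPTABLES, RM, MV (read)
# Outputs:   one status line per entry on stdout; malformed entries on stderr
# Returns:   0 no ban list present, 1 unable to delete OUTFILE,
#            2 IPs are still being banned, 3 no IPs are being banned
#######################################
do_checkiptables() {
  local hour_ago ban_secs stamp ip ban_start
  if [[ -e "$OUTFILE" ]]; then
    "$RM" -f -- "$OUTFILE"
    [[ -e "$OUTFILE" ]] && return 1
  fi
  [[ -f "$CURRENTBANNEDIPS" ]] || return 0
  hour_ago=$(( DS - 3600 ))
  # ban length in seconds, derived from BANLENGTH instead of a fixed 604800
  ban_secs=$(( BANEND - DS ))
  while read -r stamp ip || [[ -n "$ip" ]]; do
    # an entry that is not "<epoch> <ipv4>" is reported and not carried over
    if [[ ! "$stamp" =~ ^[0-9]+$ ]] || ! is_ipv4 "$ip"; then
      printf 'checkiptables: skipping malformed entry "%s %s"\n' "$stamp" "$ip" >&2
      continue
    fi
    ban_start=$(( stamp - ban_secs ))
    printf 'Checking %s\n' "$ip"
    # the rule is removed and, while the ban is active, added back below; this
    # keeps exactly one rule per IP but leaves a short unbanned window
    "$IPTABLES" -D INPUT -s "$ip" -j DROP
    # "@<epoch>" is unambiguous; "1970-01-01 N sec" is interpreted in local time
    date -d "@$ban_start"
    if (( DS >= stamp )); then
      # delete rule
      printf 'IP %s released from iptables drop\n' "$ip"
    else
      if (( ban_start > hour_ago )); then
        printf 'New IP %s added in the last hour\n' "$ip"
      else
        printf 'IP %s remains banned from this server\n' "$ip"
      fi
      # ban ip
      printf '%s %s\n' "$stamp" "$ip" >> "$OUTFILE"
      "$IPTABLES" -A INPUT -s "$ip" -j DROP
    fi
  done < "$CURRENTBANNEDIPS"
  if [[ -e "$OUTFILE" ]]; then
    "$MV" -f -- "$OUTFILE" "$CURRENTBANNEDIPS"
    return 2
  fi
  "$RM" -f -- "$CURRENTBANNEDIPS"
  return 3
}

#######################################
# w00t: follows MONITOR and runs "$0 ban" for every line matching WATCHLIST.
# A previous watcher recorded in WOOTLOCK is stopped first; "stop" only does that.
# Globals:   WOOTLOCK, MONITOR, WATCHLIST, TAIL, GREP, AWK, CAT, PS, KILL, RM (read)
# Arguments: $1 - "stop" to terminate the running watcher and return
# Outputs:   the lock path on stdout when an old watcher is found
# Returns:   0 watcher finished, 1 running watcher shut down ("stop")
# Requires bash 4 (BASHPID).
#######################################
do_w00t() {
  local old_pid old_comm line ip
  if [[ -e "$WOOTLOCK" ]]; then
    #w00t may already be running, terminate process
    printf '%s\n' "$WOOTLOCK"
    old_pid=$("$CAT" "$WOOTLOCK")
    # the lock is plain text in a shared directory, so its content is not
    # trusted: signal the PID only if it is numeric and still belongs to a tail.
    # TERM is enough for tail; the original sent KILL to /dev/nul (a typo that
    # created a regular file of that name).
    if [[ "$old_pid" =~ ^[0-9]+$ ]]; then
      old_comm=$("$PS" -o comm= -p "$old_pid" 2>/dev/null | "$AWK" '{ print $1 }')
      if [[ "$old_comm" == "${TAIL##*/}" ]]; then
        "$KILL" "$old_pid" >/dev/null 2>&1
      else
        printf 'w00t: stale lock %s (pid %s is not %s), not signalling\n' "$WOOTLOCK" "$old_pid" "${TAIL##*/}" >&2
      fi
    fi
    "$RM" -f -- "$WOOTLOCK"
  fi
  [[ "$1" == "stop" ]] && return 1
  # the tail's own PID is written to the lock before it starts (the subshell
  # execs into tail, so BASHPID becomes tail's PID); killing it ends the pipeline.
  # A ps|grep lookup is not needed and the lock exists even before the first hit.
  ( printf '%s\n' "$BASHPID" > "$WOOTLOCK"; exec "$TAIL" -n +1 -f "$MONITOR" ) \
    | "$GREP" --line-buffered -- "$WATCHLIST" \
    | while read -r line; do
        ip=$(printf '%s\n' "$line" | "$AWK" '{ print $1 }')
        "$0" ban "$ip" "$line"
      done
  return 0
}

#######################################
# Dispatches to the sub-script named by $1 and exits with its documented code.
# Arguments: $1 - scriptname; the rest are passed to the sub-script
# Returns:   never; exits 1 (no scriptname), 2 (unknown scriptname) or
#            base + the sub-script's offset
#######################################
main() {
  local rc
  if (( $# < 1 )); then
    #no scriptname passed
    printf '%s scriptname [parameters]\n' "$0"
    exit 1
  fi
  case "$1" in
    ban)
      do_ban "$2" "$3"
      rc=$?
      exit $(( 10 + rc ))
      ;;
    checkiptables)
      do_checkiptables
      rc=$?
      exit $(( 20 + rc ))
      ;;
    w00t)
      do_w00t "$2"
      rc=$?
      exit $(( 40 + rc ))
      ;;
    *)
      #invalid scriptname passed
      printf '%s scriptname [parameters]\n' "$0"
      exit 2
      ;;
  esac
  # In theory we should never get this far
  exit 100
}
main "$@"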

Feel free to expand the script but please consider sending me any updates


One Response to Apache server logs “GET /w00tw00t.isc.sans.dfind:)” fix

  1. John Hardin says:

    …why just drop the traffic? That’s no fun!

    I’ve got one of those stuck in my TCP Tarpit right now.

    Set up LaBrea (see SourceForge) listening on port 8081 and put something like this into your apache conf:

    RedirectMatch permanent (\/w00tw00t\..*) http://{tarpit.host.here}:8081/$1

